CVE-2022-3142
NEX-Forms < 7.9.7 - Authenticated SQLi
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart. By default these are administrators, although this can be configured otherwise via the plugin settings.
| CWE | CWE-89 |
| Vendor | unknown |
| Product | nex-forms – ultimate form builder – contact forms and much more |
| Published | Sep 19, 2022 |
| Last Updated | Aug 3, 2024 |
Affected Versions
Unknown / NEX-Forms – Ultimate Form Builder – Contact forms and much more
7.9.7 < 7.9.7
References
medium.com: https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
wpscan.com: https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328
packetstormsecurity.com: http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html
Credits
Elias Hohl